07-19-2019 02:50 PM
We are in the process of converting over to Palo Alto firewalls at our remote locations from ASA firewalls. A few of our sites now are having some strange issues when attempting to make phone calls.We are a Cisco call manager shop.
Here is a basic setup of our network:
Remote Office <-Site to site VPN tunnell-> Main Office
Voice setup between those locations:
Analog lines (connected to router) - Remote Router - Remote Palo Alto <-Site to site VPN tunnell-> Main Office ASA firewall - Main Office Call-Manager
When someone at the remote location dials a external number, the phones SOMETIMES rings busy, even when the external phone number is not actually busy (tested and verified). The call will go through to the remote number but when they answer all they get is dead air. SOMETIMES the call goes through just fine. SOMETIMES when the call works and when the external number hangs up first the call stays active on the remote office's desk phone.
We've tried turning off ALG inside the SIP application, but when we test locally by setting up the calling search space to the remote office at a main office phone where we work, we still have problems.
07-22-2019 02:44 PM
Updates! We switched the "Outgoing Transport Type" from TCP+UDP to UDP and that seems to have cleared up the issue. I have a support case open and a call tomorrow to talk about it, we'll see what they say.
01-31-2020 06:02 AM
Here you go, this is from our Voice Engineer.
Call Manager
System -> Security -> SIP Trunk Security Profile.
Select the profile you are currently using on your SIP trunk(s)
Under ‘Outgoing transport type’ – change it to UDP. Then reset. This will reset your SIP trunk(s) and disconnect any active calls.
07-20-2019 06:15 PM
So one thing I would look at is if the phones connection to CUCM is being force closed by the firewall. It's been a few years, but I remember an issue where the phones would silently have to "re-register" in a sense to the CUCM server because it wasn't sending enough keep-alive traffic to keep the connection active.
07-22-2019 02:36 AM
Is there any NAT going on?
Are you running SIP or SCCP?
can you see the SIP/SCP/RTP in session browser?
Rob
07-22-2019 05:53 AM
Is there any NAT going on?
Just to the internet, but not for the devices over the VPN
Are you running SIP or SCCP?
SIP
can you see the SIP/SCP/RTP in session browser?
Yes, but because it takes a few tries for us to get a busy signal I am not sure which logs are whitch. I just turned on log at session start to see if that helps identify what is going on when. I'll report back.
07-22-2019 02:42 PM
Hello,
Also check the logs to make sure you are not blocking/dropping any traffic.
Regards,
07-22-2019 02:44 PM
Updates! We switched the "Outgoing Transport Type" from TCP+UDP to UDP and that seems to have cleared up the issue. I have a support case open and a call tomorrow to talk about it, we'll see what they say.
01-22-2020 04:56 PM
What verison of firmware on your Palo and what version of CUCM?
I'm having a very similar set of problems as we upgraded to 9.0.4
01-23-2020 07:52 AM
We are on 9.0.2 h4 for Palo and 11.5 for Call Manager.
01-30-2020 07:42 PM
Hello I am having the same issue with a firewall that I upgraded to 9.0.5. can you please tell me how you switched the "Outgoing Transport Type" from TCP+UDP to UDP ?
I really appreciate your help.
01-31-2020 06:02 AM
Here you go, this is from our Voice Engineer.
Call Manager
System -> Security -> SIP Trunk Security Profile.
Select the profile you are currently using on your SIP trunk(s)
Under ‘Outgoing transport type’ – change it to UDP. Then reset. This will reset your SIP trunk(s) and disconnect any active calls.
02-10-2020 11:06 AM
Thank you for sharing our solution.
we made the changes last week because all of our branch offices started having the same behavior with our SIP phones.
Now all the SIP phones are working fine. we can dial out and call between our extension. seems weird that after upgrading to 9.0 we started seen this issue and with 8.1 they worked fine.
Again Thank you for helping me.
I really appreciate your help.
04-17-2020 11:38 AM
Thank you, this also solved the problem for our network as well. Moving away from an MPLS to a VPN and calls couldn't exit the remote site. Calls to the remote site worked fine. Changing to UDP worked great.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
